As of November 10, 2025, Phase 1 of the Cybersecurity Maturity Model Certification (CMMC) program is officially in effect. For small businesses in the Defense Industrial Base (DIB), that date marks a turning point: cybersecurity is no longer just a contract clause to acknowledge; it is a condition you must actively meet and maintain to stay eligible for new Department of Defense (DoD) awards.
Large prime contractors usually have in-house cyber staff, a CISO, and mature governance. Many small and mid-sized contractors, by contrast, are trying to meet the same requirements with a lean IT team, constrained budgets, and a patchwork of documentation. At the same time, small businesses now represent nearly 29% of federal prime contract dollars, a record level of participation that DoD does not want to lose to avoidable cyber risk.
This blog lays out a practical roadmap for Phase 1 and FY2026: what CMMC really requires, where small businesses struggle, and how to prioritize work, so you stay eligible for contracts while building toward Level 2 maturity.
What Phase 1 Actually Requires
Under CMMC 2.0, DoD has simplified the model to three levels:
- Level 1 – Foundational: Basic safeguarding for FCI
- Level 2 – Advanced: Protection of CUI, aligned with NIST SP 800-171
- Level 3 – Expert: Enhanced requirements for the most sensitive missions
DoD is rolling CMMC into contracts in four phases between November 10, 2025, and November 10, 2028.
Phase 1 (Nov 10, 2025 – Nov 9, 2026) focuses primarily on:
- Level 1 and Level 2 self-assessments for applicable contracts
- Posting results and a senior official affirmation in the Supplier Performance Risk System (SPRS)
- Limited use of third-party (C3PAO) Level 2 certifications where DoD deems it necessary
DFARS 252.204-7021 now makes the required CMMC level a condition of award for covered contracts and obligates contractors to maintain that status for the life of the contract. CMMC also flows down: primes must ensure subcontractors that handle FCI or CUI meet the required CMMC level, and subcontractors must submit their own assessments and affirmations in SPRS.
For FY2026, that means small businesses should assume that any new or recompete DoD work involving FCI or CUI may come up with explicit CMMC language in the solicitation, and plan accordingly.
Why Phase 1 Is Harder Than It Looks
On paper, Level 1 sounds simple: 15 “basic safeguarding” requirements from FAR 52.204-21, mapped into 17 CMMC practices. In practice, small businesses run into recurring challenges:
- Limited staff to design, implement, and monitor controls
- Ambiguity about scope: which systems, users, and service providers actually process, store, or transmit FCI or CUI
- Documentation debt: policies, inventories, and incident procedures that exist informally but not in writing
- Assessment bottlenecks: even before CMMC becomes fully mandatory, demand for C3PAOs and certified assessors is outpacing supply
As of fall 2025, Cyber AB reports over 80 authorized C3PAOs and several hundred certified assessors, but DoD estimates tens of thousands of organizations will ultimately need Level 2 certification. That imbalance means small businesses cannot assume they will “find an assessor later” – they need to build internal readiness now.
A Practical Roadmap for Level 1 Success
If your contracts involve only FCI, Level 1 is your starting point. A realistic, ordered approach for FY2026 looks like this:
1. Confirm scope
- Identify all systems, applications, users, and external service providers that touch FCI.
- Keep the scope as small as reasonably possible; fewer in-scope systems mean fewer controls to implement and fewer artifacts to maintain.
2. Implement all 15 FAR basic safeguards
These map to 17 CMMC Level 1 practices and must be fully implemented at award; POA&Ms are not allowed at Level 1. Focus on:
- Multi-factor authentication for remote and privileged access
- Boundary protections (firewalls, secure remote access, disabling unnecessary services)
- Endpoint hygiene: anti-malware, patch management, device hardening
- Backups and secure storage for key systems
- Least-privilege user access and periodic access reviews
- Basic security awareness training for all users
3. Establish minimum documentation
Even at Level 1, assessors (and contracting officers) will expect to see:
- An access control policy that matches how accounts are managed
- A simple incident reporting process (who gets called when something goes wrong)
- A system and user inventory for in-scope systems
4. Perform and record your self-assessment
Use the official Level 1 self-assessment methodology and ensure your answers match reality. Level 1 has no partial credit: each requirement is either MET or NOT MET, and a single NOT MET means you cannot claim Level 1 status. Marking a requirement MET that is not actually implemented can create False Claims Act exposure later, because the SPRS entry is backed by a senior official's affirmation.
5. Submit status and affirmation in SPRS
For relevant solicitations, contracting officers will check SPRS for your current CMMC status. No entry, no award, regardless of your technical capabilities.
For most small FCI-only environments, this is achievable in months, not years – if the work is planned and resourced.
Preparing Now for Level 2
If you handle CUI, the bar is higher. CMMC Level 2 is built on NIST SP 800-171, which defines 110 security requirements across 14 control families (access control, audit, configuration management, incident response, and more).
Phase 1 allows many Level 2 organizations to begin with self-assessments, but Phase 2 and beyond will bring broader requirements for C3PAO-led certifications for higher-risk contracts. Given current assessor capacity, a realistic approach is:
- Start 6–12 months before you expect a Level 2 requirement in a key contract.
- Build and maintain a living System Security Plan (SSP) that clearly explains:
- Where CUI lives, and how it is segmented from the rest of your network
- How each of the 110 requirements is implemented – or why not, if not applicable
- Use POA&Ms sparingly for limited, lower-risk gaps with concrete completion dates; they cannot be a substitute for core controls, and under the CMMC rule open POA&M items must be closed within 180 days of the assessment or the conditional status lapses.
- Prioritize identity and access management, logging/monitoring, vulnerability management, and incident response testing; these are frequent problem areas in early assessments according to C3PAO commentary and Cyber AB town halls.
Level 2 is not “Level 1 plus a few extras.” It is a full security program with governance, technology, and evidence.
Common Pitfalls We See in Early CMMC Efforts
Across small and mid-sized contractors, we repeatedly see patterns that delay or disrupt CMMC progress:
- Writing policies but not enforcing them in daily operations
- Misclassifying FCI and CUI, either over-scoping (too expensive) or under-scoping (non-compliant)
- Poor evidence management: screenshots and ad-hoc notes that cannot be reproduced or tied to a specific control at assessment time
- Buying tools without assigning owners, processes, or metrics
- Treating CMMC as a “one-time project” instead of an ongoing obligation with annual affirmations in SPRS
Avoiding these traps is often the difference between a smooth assessment and a painful rework cycle.
Conclusion: FY2026 Is the Year to Move from Intention to Execution
CMMC is no longer a theoretical future state. Phase 1 is here; clauses are appearing in solicitations, and contracting officers are looking at SPRS as part of award decisions.
For small businesses, the path forward is clear:
- Stabilize Level 1: Implement all 15 safeguards, document them, and get your self-assessment and affirmation into SPRS.
- Plan Level 2 early if you touch CUI: Build your SSP, prioritize high-impact controls, and schedule your journey toward certification.
- Treat CMMC as an ongoing program, not a one-off checklist.
If you are unsure where to start, engaging a partner that lives at the intersection of federal contracting, cybersecurity, and identity governance can compress timelines and reduce risk.
iQ GovSolutions is already helping federal contractors and DIB small businesses build CMMC-aligned roadmaps. If you would like to pressure-test your current posture or map requirements for an upcoming recompete, we invite you to schedule a CMMC readiness discussion tailored to your FY2026 pipeline.